Details
Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Version: 3.6.0
Description
Encouraging non-encrypted login is definitely a bad practice and could lead to session fixation (where the attacker logs in first, and the victim then does not realize that their own login fails).
We should make the safe 'plainAuthDisallowed' option the default everywhere.
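To make the effect of the default concrete, here is a small illustration written for this page, not code from the project that owns the issue. It models an SMTP-style AUTH gate: the option name plainAuthDisallowed is taken from the issue, while the class and function names, the user table and the exact reply lines (taken from RFC 4954 / RFC 5321 conventions) are assumptions of this example. With the safe default, cleartext mechanisms are neither advertised nor accepted until TLS is active, so a client is never invited to send its password in the clear; with the old default the same password is accepted on a plaintext connection.

```python
import base64

# Added example, not the project's own code. plainAuthDisallowed is the
# option named in the issue; everything else here is assumed for illustration.

CLEARTEXT_MECHANISMS = {"PLAIN", "LOGIN"}  # both send the password in the clear


def parse_sasl_plain(initial_response: str) -> tuple:
    """Decode a SASL PLAIN initial response (RFC 4616):
    base64( authzid NUL authcid NUL password ). Returns (authcid, password)."""
    raw = base64.b64decode(initial_response, validate=True)  # binascii.Error is a ValueError
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message")
    _authzid, authcid, password = parts
    return authcid.decode("utf-8"), password.decode("utf-8")


class AuthGate:
    """Hypothetical AUTH handling of a mail server session.

    plain_auth_disallowed=True (the default this issue asks for) means the
    cleartext mechanisms are neither advertised nor accepted before TLS.
    """

    def __init__(self, users: dict, plain_auth_disallowed: bool = True):
        self.users = users  # constructed sample user table: {authcid: password}
        self.plain_auth_disallowed = plain_auth_disallowed

    def advertised_mechanisms(self, tls_active: bool) -> list:
        """Mechanisms the EHLO response lists. On a cleartext connection the
        safe default advertises nothing, so clients are not encouraged to try."""
        if self.plain_auth_disallowed and not tls_active:
            return []
        return sorted(CLEARTEXT_MECHANISMS)

    def handle_auth(self, mechanism: str, initial_response: str, tls_active: bool) -> tuple:
        """Return (reply line, authenticated). The encryption check runs before
        the credentials are decoded, so a refused attempt never looks at them."""
        mechanism = mechanism.upper()
        if mechanism not in CLEARTEXT_MECHANISMS:
            return "504 5.5.4 Unrecognized authentication type", False
        if self.plain_auth_disallowed and not tls_active:
            # RFC 4954 reply for a mechanism that requires an encrypted channel
            return "538 5.7.11 Encryption required for requested authentication mechanism", False
        if mechanism != "PLAIN":
            # The multi-step LOGIN exchange is out of scope for this example.
            return "504 5.5.4 Unrecognized authentication type", False
        try:
            user, password = parse_sasl_plain(initial_response)
        except ValueError:
            return "501 5.5.2 Cannot decode response", False
        if self.users.get(user) == password:
            return "235 2.7.0 Authentication succeeded", True
        return "535 5.7.8 Authentication credentials invalid", False


if __name__ == "__main__":
    # "AGFsaWNlAHMzY3JldA==" is base64 of "\0alice\0s3cret" (constructed sample).
    safe = AuthGate({"alice": "s3cret"})
    legacy = AuthGate({"alice": "s3cret"}, plain_auth_disallowed=False)
    print("safe, no TLS:  ", safe.advertised_mechanisms(False),
          safe.handle_auth("PLAIN", "AGFsaWNlAHMzY3JldA==", tls_active=False))
    print("safe, TLS:     ", safe.advertised_mechanisms(True),
          safe.handle_auth("PLAIN", "AGFsaWNlAHMzY3JldA==", tls_active=True))
    print("legacy, no TLS:", legacy.advertised_mechanisms(False),
          legacy.handle_auth("PLAIN", "AGFsaWNlAHMzY3JldA==", tls_active=False))
```

Two design points worth keeping when porting this to a real server: the "encryption required" decision is taken before the SASL message is decoded, so the server never parses or logs credentials it is going to refuse, and the capability advertisement is gated by the same flag, since advertising AUTH PLAIN on a cleartext connection is exactly the "encouraging" behaviour the issue objects to.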